Purpose Limitation
The principle that personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes.
Purpose limitation is a core data protection principle established in GDPR Article 5(1)(b), requiring that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those original purposes. This means organizations must clearly define why they are collecting data before collection begins, communicate these purposes to data subjects through privacy notices, and not repurpose the data for unrelated objectives.
In the context of website compliance, purpose limitation has direct implications for how cookies and tracking technologies are used. If analytics cookies are deployed to measure page views, the data collected through them should not be repurposed for targeted advertising without a separate legal basis. Similarly, email addresses collected for order confirmations should not automatically be added to marketing lists. Each processing purpose needs its own legal basis, and changes in purpose may require obtaining new consent. Organizations must maintain documentation linking each data collection activity to its stated purpose.